
Sustainability Risk: A Governance Mandate for the Mid-Tier
Why Governance Architecture Is the New Requirement
For mid-tier institutions, sustainability pledges are a commodity. Governance structures that survive a regulatory audit, however, are a rarity.
For any CRO paying attention, this is no longer theoretical. Regulators, investors, and counterparties have moved beyond asking whether you acknowledge climate risk. They are asking how that risk is governed within your Three Lines of Defense, who is accountable for it in your Risk Appetite Statement, and what evidence exists to prove your oversight is functioning.
For many mid-tier firms, these questions expose a structural gap. Sustainability has been discussed, disclosed, and marketed — but it has not always been embedded into the governance architecture where financial risk is actually managed.

The Organizational Limbo Problem
Global Tier-1 banks have spent a decade building internal climate-risk infrastructure. Mid-tier institutions occupy more difficult terrain: you face the regulatory complexity of the giants but without the dedicated overhead. As a result, sustainability risk frequently exists in organizational limbo. It sits in Corporate Responsibility, Investor Relations, or a standalone sustainability function that reports through a non-risk channel. This is a structural failure. When a risk sits outside the Principal Risk Taxonomy, it is not being managed; it is merely being observed. For a CRO, observation is not a strategy — it is a liability. It remains invisible until scrutiny begins.

The gap between stated commitment and demonstrated governance remains wide. The FSB’s 2023 TCFD Status Report notes that climate-related governance disclosures - such as board oversight - have increased significantly, yet overall alignment with the TCFD recommendations and the integration of climate risk into core risk and financial processes remain limited.
It is a pattern that is widely recognized across the industry. An institution's sustainability report may run to sixty pages, its public commitments may be extensive, and its senior leadership may speak fluently about climate risk — yet its Board Risk Committee papers contain no documented challenge on a single climate-related risk decision. Disclosure quality and governance quality are not the same thing. Regulators have learned to look for the difference.
When Governance Gaps Become Capital Events
The supervisory direction is not ambiguous. The ECB's 2020 Guide on Climate-Related and Environmental Risks set out explicit expectations for how banks should embed climate risk into governance, risk appetite, and internal capital processes — expectations that have since been reinforced through supervisory review cycles and institution-specific feedback letters.
In the UK, the PRA's supervisory statement SS3/19 established clear expectations for board-level governance of climate-related financial risks, with subsequent Dear CEO letters reinforcing the expectation that firms demonstrate - not merely assert - governance integration.
In the US, the Federal Reserve's November 2023 climate scenario analysis for the six largest banks signals the direction of travel for the broader supervised population.
The failure modes are typically not about intent — they are about mechanics:
Unclear Board Oversight: Boards may acknowledge risk, but they lack structured reporting or documented challenge processes. If you cannot point to a specific Board Risk Committee decision or escalation, you have no demonstrable oversight.
Taxonomy Fragmentation: Sustainability risk sits as a sidecar to the core taxonomy. It is not embedded in the controls, stress testing, or reporting systems that underpin the Enterprise Risk Management framework.
Weak Defensibility: Processes may exist in theory, but the audit trail does not. In a regulatory exam or Skilled Persons Review, if it is not documented, it did not happen.
Balance Sheet Blind Spots: This is where reputation risk ends and capital exposure begins. Without translating transition risk into Risk-Weighted Asset calculations or IFRS 9/CECL provisioning, you are flying blind on credit deterioration.
The Balance Sheet Connection
The capital implications are more direct than many boards currently appreciate.
A supervisory finding on governance weakness does not stay in the governance column — it travels. A poorly governed climate risk can trigger a Pillar 2 capital add-on, elevate a firm's Internal Capital Adequacy Assessment Process (ICAAP) burden, and introduce additional supervisory scrutiny across the risk framework. For mid-tier institutions operating with tighter capital buffers than their Tier-1 peers, that is not a theoretical cost. It is a competitive disadvantage.
The credit portfolio implications are equally concrete. Transition risk — the financial exposure created by shifts in policy, technology, and market preferences away from carbon-intensive activities — is not a "green" issue; it is a credit issue. In commercial real estate (CRE) in particular, energy inefficiency is fast becoming a precursor to asset impairment and "stranded" valuations. Institutions that cannot demonstrate they have assessed and documented these exposures are increasingly vulnerable, not only to supervisory challenge but to the kind of investor scrutiny that affects funding costs and valuation multiples.
The funding cost implications are becoming more direct as institutional investors incorporate governance quality into their capital allocation decisions.
BlackRock's stewardship guidance makes clear that it expects boards to provide evidence of how they oversee financially material risks - including climate-related risks — and how those risks are incorporated into corporate strategy and risk management. For mid-tier institutions that rely on capital from large asset managers, those expectations are no longer relevant only to their larger peers. They translate into direct implications for funding access, cost of capital, and balance sheet resilience.
The ARCHITECT™ Governance System
Effective sustainability governance is not a parallel workstream. It is an industrialization of oversight.
I developed the ARCHITECT™ Governance System to help firms move from emerging to advanced governance maturity. The system evaluates governance across six pillars:
A — Accountability: Explicitly defining which executive functions and Board committees own the risk. This means moving beyond a "Sustainability Lead" to named risk owners with defined escalation paths and Three Lines of Defense clarity.
R — Risk Integration: Embedding sustainability directly into the Principal Risk Taxonomy. It must be integrated into control frameworks and treated with the same rigor as credit, market, or operational risk.
C — Capital Exposure: Moving from narrative to numbers. This requires understanding how climate and transition risks affect financial position — specifically credit exposure analysis, provisioning, and RWA implications.
H — Horizon Scanning: A structured, repeatable process to monitor the shifting regulatory landscape and market transitions. The goal is to anticipate the mandate, not react to the news.
I — Information and Reporting: Delivering decision-quality data to the Board. This means moving away from 50-page ESG narratives toward Board Risk Committee-ready dashboards with clear escalation triggers and limit-breach reporting.
T — Transparency and Defensibility: Building the audit trail. This is the documented evidence of challenge - the proof of how risks were identified and how materiality was assessed. This is your primary shield under regulatory scrutiny.

The ARCHITECT™ Governance System — Walsh SRA's methodology for evaluating governance maturity for climate and sustainability-related financial risk.
What This Means for Mid-Tier Institutions
We have moved past the awareness phase. Reporting came next. Now the hard question is governance — and most institutions are not ready for it.
For mid-tier banks and insurers, the proportionality excuse is expiring. Regulators and investors expect you to demonstrate that sustainability risk is governed within the core architecture of your firm.
The firms that address this now will be better prepared when regulators and investors start asking harder questions. The firms that wait will find those conversations more expensive - and the gaps more difficult to close under scrutiny.
Questions to Ask Yourself
The governance gap is rarely visible from inside an institution until scrutiny begins. Before your next Board Risk Committee meeting, ask:
Can we identify who specifically owns climate and sustainability risk at executive and board level?
Is sustainability risk embedded in our Principal Risk Taxonomy — or does it sit outside core ERM?
Could we produce documented evidence of board-level challenge in a climate-related decision?
Do we understand how transition risk affects our credit exposure or provisioning assumptions?
If a regulator asked for our governance evidence tomorrow, what would we produce?
If the answers are unclear, the governance gap is real.
If you are not certain how your governance would perform under supervisory review, the ARCHITECT™ Governance Maturity Assessment provides a structured starting point. It takes two to three weeks and produces a clear picture of where your governance stands - and where it needs to go.
Brendan Walsh is the founder of Walsh SRA and creator of the ARCHITECT™ Governance System. He brings more than 30 years of global executive leadership in regulated financial services, including senior roles at American Express spanning the US, Europe, and Asia, and advisory experience with regulated institutions including the UK's Office of Gas and Electricity Markets (OFGEM). He holds a Master's degree in Sustainability from Harvard University and is credentialed by GARP in both Sustainability and Climate Risk (SCR) and AI Risk. Walsh SRA advises mid-tier financial institutions on governance frameworks for climate and sustainability-related financial risk.